10-10-2020

718

Log Tampering ! Cover your tracks like a pro

Getting caught is exactly what every hacker does not want. They want to be able to gain entry into a system and then quickly withdraw to the safety of the internet café they are presumably hacking from. Logs are designed to record nearly everything that occurs in a system, including hacking attempts, and can be the determinative factor in catching hackers after their crime has been committed. 

Ethical hackers need to understand how hackers tamper with logs, as it is a common practice with hackers. This article will detail the basics of log tampering for ethical hackers, including disabling auditing, clearing logs, modifying logs and erasing command history. The focus will be on Windows and Linux logs, as they are the most used by organizations. 

Please note that this article is intended as an introduction to log tampering for ethical hacking purposes only.

 

 

What are logs ?

Detailed list of an application information, system performance, or user activities. A log can be useful for keeping track of computer use, emergency recovery, and application improvement. Each software program that is capable of creating a log has different methods of starting or stopping the log creation

An example of a software log file can be found in the Microsoft Windows 2000 and Windows XP Event Viewer, which logs events, errors, and other information occurring in Microsoft Windows.

 

Many web pages, including Computer Hope, keeps logs of what pages users access, any errors that occur, how people are viewing the page, and more. These logs help the owners of the web page keep track of usage statistics and informs them if something needs to be fixed or updated on the site. Google Analytics is a great example of a free service that monitors this information

In terms of analogies, hacking is sort of like stealing cookies from the cookie jar. Every cookie thief, or hacker, wants to be able to get in there and do what their dirty deeds before getting caught. 

Now imagine that this cookie jar is surrounded by fresh snow that covers everything around it. It would be impossible to even get to the cookie jar without leaving tracks — just as it would be impossible to gain entry to a system without being detected. Tampering with logs is the equivalent of covering these obvious tracks that administrators use to catch hackers.

 

The process

There is a four-step process to covering your tracks by tamping with logs that hackers know like the back of their hand. These steps are:

 

  1.  Disable auditing
  2. Clearing logs
  3. Modifying logs
  4. Erasing command history

 

1. Disable auditing

Disable auditing is a smart first step for hackers because if logging is turned off, there will be no trail of evidence. 

In Windows systems, hackers can use the command line favorite, Auditpol, which will not only allow the hacker to disable auditing but will also allow the hacker to see the level of logging that the organization’s system administrator has set. Knowing this will help the hacker see what is logged. This is important because when possible, hackers like to turn off or alter only the logging that captured their activity — making them harder to track.

 

2. Clearing logs

Since logs preserve the evidence trail of hacking activities, clearing logs is the logical next step for ethical hackers to know about. 

How to clear logs in Windows

There are a few ways to clear logs in Windows systems. Presented below are the top methods for performing this track-clearing tactic.

Clearlogs.exe

One way is to use the clearlogs.exe file, which can be found here. Once access to the target Windows system is obtained, the file needs to be installed and then run to clear the security logs. To run the file, enter the following into a command line prompt:

clearlogs.exe -sec

This will clear security logs on the target system. To verify if it has worked, open Event Viewer and check the security logs. Voila! 

Please note — if the hacker does not remove clearlogs.exe, it will serve as hard evidence of log tampering. If this occurs in a Windows 10 system or Windows Server 2016, event ID 1102(S) will be displayed as an event, and overlooking this is a common error many beginner hackers make. 

Meterpreter

Originally created by Metasploit and Matt “Skape” Miller in 2004, this advanced payload is a type of shell that, without getting too technical, will help to clear all logs in a Windows system in newer versions of Meterpreter. After compromising the system with Metasploit, use a Meterpreter command prompt and enter the following command:

Meterpreter > clearev

This will present the ethical hacker with a window stating that all of the security, application and system logs have been cleared. 

Windows Event Viewer

Even if auditing has been disabled, it is still smart to clear logs in Windows Event Viewer because actions like disabling auditing will display as an event. To perform this simple task, first navigate to Event Viewer under Windows Logs in the folder tree. In the left-hand pane, right-click on the type of logs you want to clear and select Clear All Events. Boom! Done. 

Linux systems

Linux systems have their own process of log clearing. To perform this, you want to use the Shred tool. To shred and erase the log file on the target system, run the following bash command:

Shred -vfzu auth.log

Just like that, with one command your logged tracks in Linux have been wiped out.

 

3. Modifying logs

Knowing is half the battle, and knowing where the logs are in your target system is crucial for any hacker.

Being that you are an ethical hacker working on behalf of your organization, you will already know their location. Inexperienced hackers may not, causing wasted time and an increased chance of detection. In some cases, a text editor may be needed to modify logs; regardless, it as easy as modifying a Word file.

In Windows 8 and 7, these instructions assume you are using either Large or Small Icon view.

 

Log into your computer as an administrator.

Note:

Security of Information Technology Resources policy (IT-12)  requires that you normally refrain from running your Windows computer as an administrator. For more, see About the principle of least privilege.

In Windows 8, press Win-q and select Control Panel. Alternatively, in Desktop view, move the mouse to the bottom right corner of the screen and select Settings, followed by Control Panel.

For help navigating, see Get around in Windows.

In Windows 7 and Vista, from the Start menu, open Control Panel.

Open Administrative Tools, and then Computer Management.

In the left frame, double-click Event Viewer, and then Windows Logs.

Right-click Security and choose Clear Log.... You will have the option to save the details of the log. After you respond to this prompt, the log will be cleared.

 

4. Deleting commands

The thing with bash is that it retains the history of entered bash commands, so unless you clear it, the administrator will be able to see that the Shred command above was entered. The retained history of bash commands is found in the file ~/.bash_history. 

How to clear the contents of a log file from the command line

Say you want to clear the contents of a log file named /var/log/messages, run:
# >/var/log/messages
The following is compatible with various Linux or Unix shells:
: > /var/log/messages
Verify file size:
# ls -l /var/log/messages
If you really wanted to delete or remove a file type the following rm command:
# rm /var/log/message

Delete a log files in Linux or UNIX using truncate

Use the truncate command to shrink or extend the size of each FILE to the specified size. So a proper way to clear log file named www.cyberciti.biz_access.log is to run the following command:
# cd /var/log/nginx/
# ls -lh www.tech2secure_access.log
# truncate -s 0 www.tech2secure.biz_access.log
# ls -lh www.tech2secure.biz_access.log

Clear the contents of a file named /var/log/nginx/www.cyberciti.biz_access.log from the command line

Other commands to empty or delete a large file content in Linux

Try the cat command:
cat /dev/null > www.tech2secure.biz_access.log
Or the cp command:
# cp /dev/null /var/log/nginx/php_error.log

How do I clear log file using dd on Linux or Unix?

Type dd command as follows:
# dd if=/dev/null of=/path/to/log/file
# dd if=/dev/null of=/var/log/lighttpd/error_log

How to empty or truncate a file in Linux using echo/printf

One more method is to use the echo command:
# echo -n "" > /path/to/java/appserver.log

 

 

 

 

 

Related Posts

Meet Raspberry Pi Killer - The DFRobot LattePanda

Want to build your own data center virtually ? Try GNS3

What is GNS3? GNS3 (Graphical Network Simulator) is an open source software that simulate complex networks while being as close as possible to the way real networks perform. All of this without having dedicated network hardware such as routers and switches. This software provides an intuitive graphical user interface to design and configure virtual networks, it runs on traditional PC hardware and may be used on multiple operating systems, including Windows, Linux, and MacOS X. GNS3 is used by hundreds of thousands of network engineers worldwide to emulate, configure, test and troubleshoot virtual and real networks. GNS3 allows you to run a small topology consisting of only a few devices on your laptop, to those that have many devices hosted on multiple servers or even hosted in the cloud.